Yesterday, security engineers at Netflix reported several TCP networking vulnerabilities in the FreeBSD and Linux kernels. The most serious of these, called “SACK Panic”, allows a remote attacker to trigger a kernel panic on recent Linux kernels.

Details on the TCP networking vulnerabilities

Netflix security engineers found four vulnerabilities in total. They are specifically related to the maximum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. MSS is a parameter carried in the TCP header of a packet that specifies the maximum amount of data a computer can receive in a single TCP segment. SACK is a mechanism that lets the data receiver inform the sender which segments have arrived successfully, so that only the missing ones need to be retransmitted.

Soon after, Red Hat also listed the vulnerabilities, background, and patches on their website and credited Netflix for reporting them. According to Red Hat, the extent of the impact of these vulnerabilities is limited to denial of service. “No privilege escalation or information leak is currently suspected,” Red Hat wrote in its post.

SACK Panic is the most severe of the vulnerabilities. An attacker can exploit it to induce an integer overflow by sending a crafted sequence of SACKs on a TCP connection with a small MSS value. This can lead to a kernel panic from which the operating system cannot recover to its normal state, forcing a restart and hence causing a denial of service.

The TCP retransmission queue in Linux kernels and the RACK send map in FreeBSD can be fragmented by sending a crafted sequence of SACKs. The attacker can then exploit this fragmented queue to cause “an expensive linked-list walk for subsequent SACKs received” for that particular TCP connection.

This vulnerability affects Linux 4.15 and earlier versions, and FreeBSD 12 when using the RACK TCP stack.

An attacker can force a Linux kernel to divide its responses into multiple TCP segments, each carrying only 8 bytes of data. Sending the same amount of data then requires far more bandwidth and also consumes additional resources such as CPU and NIC processing power.

This vulnerability was found in all Linux versions.
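The two parameters at the centre of these reports, the MSS option and the SACK-permitted option, are both negotiated in the TCP options field of the SYN segment. The following is an added example (not code from the Netflix or Red Hat reports) that parses that options field, reports the advertised MSS and whether SACK was offered, flags a SYN whose MSS falls under the kind of threshold an iptables `tcpmss` rule would use, and shows how much extra header traffic a tiny MSS costs. The option byte strings and the 500-byte threshold are constructed assumptions for illustration; the function names are invented here.

```python
"""Inspect the TCP options of a SYN segment for the MSS / SACK settings
relevant to the SACK vulnerabilities described above.

Added, self-contained example. The option bytes below are constructed by
hand, not captured from any real host.
"""
import math
import struct

MSS_KIND = 2            # RFC 793 Maximum Segment Size option
SACK_PERMITTED_KIND = 4  # RFC 2018 SACK-Permitted option


def parse_tcp_options(options: bytes) -> dict:
    """Return a mapping of option kind -> option payload bytes.

    EOL (0) and NOP (1) carry no length byte; every other option is
    kind, length, payload. A length that is too small or runs past the
    end of the buffer raises ValueError instead of being silently read.
    """
    opts = {}
    i, n = 0, len(options)
    while i < n:
        kind = options[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("option kind %d has no length byte" % kind)
        length = options[i + 1]
        if length < 2 or i + length > n:
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts[kind] = options[i + 2:i + length]
        i += length
    return opts


def is_well_formed(options: bytes) -> bool:
    """True when the options field parses without error."""
    try:
        parse_tcp_options(options)
        return True
    except ValueError:
        return False


def syn_summary(options: bytes) -> dict:
    """Extract the advertised MSS (None if absent) and the SACK-permitted flag."""
    opts = parse_tcp_options(options)
    mss = None
    if MSS_KIND in opts:
        payload = opts[MSS_KIND]
        if len(payload) != 2:
            raise ValueError("MSS option must carry exactly 2 bytes")
        (mss,) = struct.unpack("!H", payload)
    return {"mss": mss, "sack_permitted": SACK_PERMITTED_KIND in opts}


def violates_policy(summary: dict, min_mss: int = 500) -> bool:
    """Mirror a firewall rule that drops SYNs advertising an MSS of 1..min_mss.

    A SYN with no MSS option does not match, just as the iptables tcpmss
    match only looks at packets that carry the option. The 500-byte
    threshold is an assumption for this example.
    """
    mss = summary["mss"]
    return mss is not None and 1 <= mss <= min_mss


def segmentation_cost(payload_len: int, mss: int, header_bytes: int = 40):
    """(segments, bytes on the wire) for a payload at a given MSS.

    Assumes 20-byte IPv4 + 20-byte TCP headers and no options, which is
    enough to show why an 8-byte MSS multiplies the cost of a response.
    """
    segments = math.ceil(payload_len / mss)
    return segments, payload_len + segments * header_bytes


# Constructed sample SYN options: MSS=8, SACK permitted, two NOPs,
# window scale 7, then end-of-list.
SAMPLE_SMALL_MSS = bytes([2, 4, 0x00, 0x08, 4, 2, 1, 1, 3, 3, 7, 0])
# Constructed sample: an ordinary Ethernet client, MSS=1460 with SACK.
SAMPLE_NORMAL = bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 1])


if __name__ == "__main__":
    for label, raw in (("small-mss", SAMPLE_SMALL_MSS), ("normal", SAMPLE_NORMAL)):
        s = syn_summary(raw)
        print(label, s, "DROP" if violates_policy(s) else "ACCEPT")
    for mss in (8, 536, 1460):
        print("1460-byte payload at MSS %4d -> %s" % (mss, segmentation_cost(1460, mss)))
```

Run on the constructed samples the script accepts the MSS 1460 client and flags the MSS 8 one; the cost function shows the same 1460-byte payload needing 183 segments and roughly six times the bytes at an 8-byte MSS, which is the resource amplification the last paragraph describes.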

Next steps

The Netflix team has also listed the patches and workarounds for each vulnerability in the official report. Red Hat has recommended two options to mitigate the CVE-2019-11477 and CVE-2019-11478 vulnerabilities:

Disabling the vulnerable component (TCP selective acknowledgements)

Using iptables to drop connections whose MSS is small enough to exploit the vulnerability.

Red Hat will be making a ‘kpatch’ available for customers running supported versions of Red Hat Enterprise Linux 7 or later. Red Hat customers on affected versions are advised to update as soon as Red Hat makes the errata available. Additionally, Red Hat has provided an Ansible playbook, ‘disable_tcpsack_mitigate.yml’, which disables selective acknowledgements and makes the change permanent. More information about the mitigation steps is available on Red Hat’s official website.
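The two mitigations above map to a sysctl change and a firewall rule. The following is an added example, not Red Hat's playbook or kpatch, that audits the current SACK setting on a Linux host, renders the exact commands for both mitigations, and only executes them when explicitly asked. The 500-byte MSS threshold, the `/etc/sysctl.d` file name and all function names are assumptions of this example.

```python
"""Audit and optionally apply the SACK Panic workarounds on a Linux host:
disable TCP SACK via sysctl and drop SYN segments that advertise a tiny MSS.

Added example; run as `python3 sack_mitigation.py` to see the plan, add
`--apply` (as root) to execute it. Assumed values are marked below.
"""
import subprocess
import sys

SACK_SYSCTL = "net.ipv4.tcp_sack"
SACK_PROC_PATH = "/proc/sys/net/ipv4/tcp_sack"
DEFAULT_MIN_MSS = 500                                   # assumed threshold
PERSIST_FILE = "/etc/sysctl.d/99-disable-tcp-sack.conf"  # assumed file name


def sack_enabled(proc_text: str) -> bool:
    """Interpret the contents of /proc/sys/net/ipv4/tcp_sack ('1' = on)."""
    return proc_text.strip() == "1"


def read_sack_state(path: str = SACK_PROC_PATH):
    """Current SACK state, or None when the file is unavailable (non-Linux)."""
    try:
        with open(path) as fh:
            return sack_enabled(fh.read())
    except OSError:
        return None


def sysctl_commands():
    """The weak default is tcp_sack=1; the mitigation sets it to 0."""
    return [["sysctl", "-w", SACK_SYSCTL + "=0"]]


def mss_drop_rules(min_mss: int = DEFAULT_MIN_MSS, chain: str = "INPUT"):
    """iptables and ip6tables rules dropping SYN/SYN-ACK packets whose
    MSS option lies in 1..min_mss. Packets without an MSS option are not
    matched by the tcpmss module, so ordinary traffic is unaffected."""
    rule = ["-I", chain, "-p", "tcp", "--tcp-flags", "SYN", "SYN",
            "-m", "tcpmss", "--mss", "1:%d" % min_mss, "-j", "DROP"]
    return [["iptables"] + rule, ["ip6tables"] + rule]


def persistent_sysctl_conf() -> str:
    """File body that keeps SACK disabled across reboots (what the
    Ansible playbook's 'permanent' step amounts to)."""
    return ("# SACK Panic workaround: disable TCP selective acknowledgements\n"
            "%s = 0\n" % SACK_SYSCTL)


def mitigation_plan(min_mss: int = DEFAULT_MIN_MSS, disable_sack: bool = True):
    """Ordered list of commands implementing the chosen mitigations."""
    cmds = []
    if disable_sack:
        cmds += sysctl_commands()
    cmds += mss_drop_rules(min_mss)
    return cmds


def render(cmd) -> str:
    return " ".join(cmd)


def apply_plan(cmds, persist_path: str = PERSIST_FILE):
    """Execute the commands and write the persistent sysctl file."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)
    with open(persist_path, "w") as fh:
        fh.write(persistent_sysctl_conf())


if __name__ == "__main__":
    state = read_sack_state()
    print("tcp_sack currently:", {True: "enabled", False: "disabled", None: "unknown"}[state])
    plan = mitigation_plan()
    for cmd in plan:
        print("  " + render(cmd))
    if "--apply" in sys.argv:
        apply_plan(plan)
        print("applied; persistent setting written to", PERSIST_FILE)
```

Two caveats a practitioner should weigh before applying this: turning off SACK degrades throughput on lossy paths, because every loss then costs a full retransmission round, and the MSS rule will also drop the rare legitimate client that genuinely advertises an MSS of 500 bytes or less. Both workarounds are stop-gaps until the kernel errata or kpatch are installed.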